FirstBlood-#17 Stored XSS on
This issue was discovered on FirstBlood v1



On 2021-05-09, smhtahsin33 (Level 3) reported:

Hello, I found a Stored XSS in /drpanel/drapi/query.php?aptid=56914507. It triggers in the Administrator account.

Steps To Reproduce:

  1. Visit http://firstbloodhackers.com:49202/book-appointment.html
  2. In the First Name field enter <marquee onstart=confirm`1`>XSS</marquee>
  3. Then fill up everything and send
  4. When the admin visits the appointment via /drpanel/drapi/query.php?aptid={{id}}
  5. It will pop up there

Note: confirm has backticks ` in place of parentheses; the markdown is executing it as bold text on the 1.

Impact: Inject malicious JavaScript

Kind Regards

P2 High

Endpoint: /drpanel/drapi/query.php?aptid=56914507

Parameter: fname

Payload: <marquee onstart=confirm`1`>XSS</marquee>


FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS in /drapi/query.php via the patient's name.
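The stored-then-rendered flow described above, as an added example that is not FirstBlood's own code: a hypothetical Python model of how a page like query.php might print the stored first name (render_vulnerable), the same view with contextual HTML output encoding (render_hardened), a hypothetical parenthesis-stripping input filter (naive_filter) included only to show why the report's backtick payload still works against it, and a small check that tells whether an element with an on* event handler survives in the rendered output. The function names, the table-cell markup and the sample input are all constructed for this illustration.

```python
import html
import re

# Constructed sample input: the payload from the report, submitted as the
# patient's first name on book-appointment.html.
REPORTED_PAYLOAD = "<marquee onstart=confirm`1`>XSS</marquee>"


def render_vulnerable(fname: str) -> str:
    """Hypothetical reconstruction of a query.php that concatenates the
    stored first name straight into the admin's HTML (not FirstBlood's code)."""
    return f"<td>Patient: {fname}</td>"


def render_hardened(fname: str) -> str:
    """Same view with output encoding for an HTML body context.
    html.escape(quote=True) encodes & < > " and ', so the stored name can no
    longer open a tag or an attribute."""
    return f"<td>Patient: {html.escape(fname, quote=True)}</td>"


def naive_filter(fname: str) -> str:
    """Hypothetical input blocklist that strips '(' and ')'.
    It is here only to show that filtering characters is not a fix: the
    reported payload calls confirm through a tagged template literal
    (confirm`1`), which needs no parentheses at all."""
    return re.sub(r"[()]", "", fname)


# An element that carries an on* attribute, e.g. <marquee onstart=...>.
EVENT_HANDLER = re.compile(r"<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def has_live_event_handler(rendered: str) -> bool:
    """Return True if the rendered HTML still contains an element with an
    on* event-handler attribute, i.e. the payload would fire in the admin's
    browser."""
    return EVENT_HANDLER.search(rendered) is not None


if __name__ == "__main__":
    for label, out in (
        ("vulnerable", render_vulnerable(REPORTED_PAYLOAD)),
        ("vulnerable + naive filter", render_vulnerable(naive_filter(REPORTED_PAYLOAD))),
        ("hardened", render_hardened(REPORTED_PAYLOAD)),
    ):
        print(f"{label:26s} handler survives: {has_live_event_handler(out)}  {out}")
```

The fix that matters is in render_hardened: encode on output, in the context where the value lands. The backtick form of the payload illustrates why a blocklist on "confirm(" or on parentheses is no defence; `confirm`1`` invokes confirm as a tag function with the template strings as its argument, so the only characters the attacker needs are the ones the encoder neutralises anyway.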

Report Feedback

@zseano (Creator & Administrator)


Nice find smhtahsin33! :)